Wednesday 4 February 2020


Re: Draft data subject access request code of practice - consultation 


Dear Ms Denham 


Thank you for drafting the above Code of Practice, and thank you for allowing firms like ours the opportunity 
to comment on it. 


We have read with interest the new guidance and welcome the majority of its clear points for consideration 
and practice. 


However, there are two issues we would like to raise. We hope our comments will support greater clarity in 
the final version of the Code. 


1. Personal Information regarding health data 


From the draft guidance we understand that personal information pertaining to someone's health should not 
be disclosed via a DSAR unless: 
i. the data subject has already seen or already knows about the personal information in question, or 
ii. the opinion from an appropriate health professional has been obtained to confirm that disclosure 
would not constitute serious harm. Further, if necessary, such opinions can be asked for 
repeatedly. 


As a law firm where the majority of our business is to defend businesses or individual clients where a claim has
been made against them and medical reports are required as evidence to settle claims, it is unclear how the
above criteria should be applied. In particular, it is unclear if we should withhold medical reports, or seek an
expert opinion on serious harm prior to disclosure in every case.


Often claims we deal with affect the health of the claimant and, to appropriately defend our client (the
defendant), we require independent expert medical opinion about the health of the opposing side (the
claimant). To do this we request the claimant's written permission to contact their doctor or healthcare 
provider so that they can disclose this information to us. 


Given the above, claimants will be aware that we are accessing their medical records and assessing their state 
of health either following an examination by our medical expert or our experts assessing their medical records. 
However, we are not sure if the data subject should be aware of the health condition itself, or also know what 
are the conclusions and recommendations of the health profession. These reports could be relied upon and 
produced in court. However, this is not true in every case. Further, to make the claimant aware of such reports 
would not be our responsibility but more usually opposing counsel i.e. the claimant’s own solicitors. Currently 
there is no mechanism to give us assurance that this has been done. 


Whether a claimant has seen or knows about our medical reports would be unclear given the current draft 
guidance. Therefore, the extent that such reports need to have been seen or known about before disclosing 
them as part of DSAR needs to be clearer. Equally, when BLM would require further medical expertise 
regarding their potential harm to the data subject/requester requires defined criteria. 


Perhaps, as a solution, it would be comforting to know if the written permission we obtain before medical 
records are accessed is sufficient to meet the bar of seen or known. It would also be helpful to have defined 
criteria as to when an expert medical opinion is required to conclude whether any information in the scope of 
the DSAR could result in serious harm. 


2. Manifestly unfounded or excessive 
BLM has only invoked this exemption once. As yet, we have not received the ICO’s ruling on this case. 


However, we felt compelled to categorise a DSAR as manifestly unfounded because the requester, in our view: 

• Targeted particular employees against whom they had a personal issue. We represented the data
subject in a losing criminal case. This led to a subsequent campaign of complaints and harassment
stemming from a complaint against our employees who handled the case.

• The requester also systematically sent requests and complaints as part of a campaign with the
intention of causing disruption in our view. All of the data subject’s complaints have been considered 
and handled properly by us and others to whom they have complained. Upon refusal of their DSAR, 
the data subject insisted we should have asked them about the purpose of the request and confirmed 
that it was to seek avenues to make another complaint. 


We should be pleased if the ICO has any further examples it can provide in relation to unsubstantiated 
accusations. Such a phrase is highly subjective dependent on the view of the accuser and those being 
accused. Without further examples it is possible that data controllers will inappropriately refuse DSARs based 
on a wide interpretation that accusations must be substantiated first. However, the DSAR itself may be vital to 
proving the accusations. 


A similar argument could be made of the phrase ‘personal grudge’. Employees undergoing disciplinary 
proceedings are likely to make DSARs to support their views of particular colleagues. Again, our view is that 
refusal of DSARs made in these contexts, based on this exemption, are likely to rise without further examples of
the ICO's view. 


I do hope that the above views are of help to the ICO’s final drafting of the Code and we at BLM wish the
authors of the code and your Office well. 


Yours sincerely 


BLM 


